3 # Sign a module file using the given key.
5 # Format: sign-file <key> <x509> <keyid-script> <module>
10 CONFIG_MODULE_SIG_SHA512=y
23 echo "Can't read private key" >&2
29 echo "Can't read X.509 certificate" >&2
34 # Signature parameters
36 algo=1 # Public-key crypto algorithm: RSA
37 hash= # Digest algorithm
38 id_type=1 # Identifier type: X.509
44 if [ "$CONFIG_MODULE_SIG_SHA1" = "y" ]
46 prologue="0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2B, 0x0E, 0x03, 0x02, 0x1A, 0x05, 0x00, 0x04, 0x14"
49 elif [ "$CONFIG_MODULE_SIG_SHA224" = "y" ]
51 prologue="0x30, 0x2d, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x04, 0x05, 0x00, 0x04, 0x1C"
54 elif [ "$CONFIG_MODULE_SIG_SHA256" = "y" ]
56 prologue="0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x04, 0x20"
59 elif [ "$CONFIG_MODULE_SIG_SHA384" = "y" ]
61 prologue="0x30, 0x41, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x02, 0x05, 0x00, 0x04, 0x30"
64 elif [ "$CONFIG_MODULE_SIG_SHA512" = "y" ]
66 prologue="0x30, 0x51, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03, 0x05, 0x00, 0x04, 0x40"
70 echo "$0: Can't determine hash algorithm" >&2
75 perl -e "binmode STDOUT; print pack(\"C*\", $prologue)" || exit $?
76 openssl dgst $dgst -binary $mod || exit $?
77 ) >$mod.dig || exit $?
80 # Generate the binary signature, which will be just the integer that comprises
81 # the signature with no metadata attached.
83 openssl rsautl -sign -inkey $key -keyform PEM -in $mod.dig -out $mod.sig || exit $?
84 siglen=`stat -c %s $mod.sig`
86 SIGNER="`perl $keyid_script $x509 signer-name`"
87 KEYID="`perl $keyid_script $x509 keyid`"
88 keyidlen=$(echo -n "$KEYID" | wc -c)
89 signerlen=$(echo -n "$SIGNER" | wc -c)
92 # Build the signed binary
96 echo '~Module signature appended~' || exit $?
97 echo -n "$SIGNER" || exit $?
98 echo -n "$KEYID" || exit $?
100 # Preface each signature integer with a 2-byte BE length
101 perl -e "binmode STDOUT; print pack(\"n\", $siglen)" || exit $?
102 cat $mod.sig || exit $?
104 # Generate the information block
105 perl -e "binmode STDOUT; print pack(\"CCCCCxxxN\", $algo, $hash, $id_type, $signerlen, $keyidlen, $siglen + 2)" || exit $?
108 mv $mod~ $mod || exit $?